Merge changes I179c05b3,Ia529ede4
* changes:
Add dac_read_search to apexd to prevent spurious denials.
Allow apexd to execute toybox for snapshot & restore.
diff --git a/private/file_contexts b/private/file_contexts
index be1453a..eafbd3e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -344,7 +344,6 @@
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
#############################
@@ -447,6 +446,8 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
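Review bot: The added empty line right after the new aidl_lazy_test_server entry leaves an extra blank line before the `####` section header; the hunk counts (-447,6 → +446,8) suggest the file already had one blank line there, so the new side now carries two, which the /system/bin section in the previous hunk does not. Drop the added blank line and keep only `+/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0`. The label is the same one removed from /system/bin in the previous hunk, so this reads as a relocation of the binary rather than a new domain, and nothing in the merge summary at the top mentions it.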
diff --git a/private/platform_app.te b/private/platform_app.te
index 3beec38..76eaae6 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,6 +68,7 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
+allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
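Review bot: The new `allow platform_app platform_compat_service:service_manager find;` restores lookup only for platform_app, while the companion hunk in public/service.te drops `app_api_service` from platform_compat_service, so every other app domain that reached this service through that attribute loses find at the same time and will show up as a runtime denial rather than a build error. Nothing on the new side records that this narrowing is intentional; a one-line comment above the new rule such as `# platform_compat_service is no longer an app_api_service; only platform apps may look it up.` would tell the next reader why this rule stands on its own. It is also worth confirming that any neverallow or policy-compatibility mapping that relied on the attribute membership still passes, which cannot be checked from these hunks.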
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index c618253..969ab9c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -64,8 +64,8 @@
# Directory listing in /system.
allow webview_zygote system_file:dir r_dir_perms;
-# Read system properties managed by zygote.
-allow webview_zygote zygote_tmpfs:file read;
+# Read and inspect temporary files (like system properties) managed by zygote.
+allow webview_zygote zygote_tmpfs:file { read getattr };
# Child of zygote.
allow webview_zygote zygote:fd use;
allow webview_zygote zygote:process sigchld;
diff --git a/public/service.te b/public/service.te
index 9472f77..76e642d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,7 +101,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
-type platform_compat_service, app_api_service, system_server_service, service_manager_type;
+type platform_compat_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;